This Is How The Dark Side Of Innovation Can Plague Your Business

Time is not a luxury available in any business market. And while no business wants to—or can afford to—undervalue the importance of cybersecurity, it is sometimes overlooked in the push to host an online application or some new feature for customers.

There was a time when security was only added on as an afterthought. Those days are (mostly) over, but even with security baked in early, there are two forces at work that make it tough to keep up:

Technology is everywhere. There is virtually no part of our lives that doesn’t have some internet-based or app component to it.

Businesses are under incredible pressure. Once they bring a product to market, they must constantly outdo themselves, and the pace of change can be dizzying and financially risky.

The Cost of Going Live With Vulnerabilities

Cyber attackers are constantly looking for new ways to achieve their nefarious goals. If they find a vulnerability in your software, hardware, or service, you can bet they’ll exploit it for all it’s worth. And sometimes these security flaws are discovered by white hats doing research. While this second scenario is preferable, you’ll still need to scramble to issue a fix. Either way, all the momentum and business value you created with your new or updated product can (and likely will) vanish in an instant. Even though business leaders know this, the pull to get something—anything—out there can be much stronger than the desire to wait for security perfection, especially if they’ve embraced the “fail-fast” mantra. And on the flip side, developers are pressured to reserve such digital acrobatics for the sexier stuff, so security often gets pushed to the side.

At The Intersection of Quality And Risk

When people talk about product quality, they are usually referring to the features and workflows that behave the way they’re supposed to, at least from the end-user side. But that doesn’t reflect whether the underlying code and functions contain any potential vulnerabilities. From a marketing perspective, the concept of the “whole product” considers not just the actual goods, but everything customers need, including documentation, training, support, etc. Security is not traditionally included in the whole product, but considering the bad customer experience of being hacked by the same technology they’ve employed, it probably should be.

Risk management, on the other hand, is about identifying and controlling activities within an enterprise to minimize the effects of risk on the organization’s assets and revenue. Traditionally, risk management focused on financial risk, but cyber risk—which can have significant financial consequences—has increasingly become part of the overall risk program. No longer just IT’s responsibility, it has board-level visibility and consequences.

Unclear Ownership of Product Security

In most companies, goods are owned by product managers who define the overall strategy and requirements for their success. And while security is often—one might even optimistically say almost always—top of mind, the focus is mainly on aligning functional requirements with customer needs. Having said that, the word “security” doesn’t appear anywhere on the product manager Wikipedia page. It’s a telling omission.

In the IT world, a defense-in-depth approach layers physical, technical, and administrative security controls throughout the infrastructure. Layering security throughout the product development lifecycle is just as critical. It requires not just software, environmental, and hardware controls, but also secure coding practices, as well as QA that looks for security problems in addition to functional issues.

It Literally JUST Happened Again

Last week, yet another major hack was revealed that illustrates the point. A sophisticated attack that enabled hackers to gain control of around 50 million Facebook accounts exploited vulnerabilities in the “View As” feature. The feature exists to let users see how their profile looks to other people, which helps them decide which privacy settings they want. “View As” behaved the way it was supposed to from a purely user-functionality perspective. But there was a weakness in the code—in the specific way it was implemented—that exposed users’ access tokens, which could be used to log in to and control their accounts.

It’s Only Going To Get Harder

More and more, innovation is being driven by data. Apps, services, and devices are creating and collecting massive volumes, which can be consolidated and crunched to create new apps, services, and devices. This data is a valuable asset—to businesses and to hackers. But, it’s not just about securing data. As everything is increasingly connected to everything else, it provides us with cool new stuff, and it provides attackers with opportunities to find a way to get to the data they’re ultimately looking for (which is what happened in the latest Facebook breach) or to control a machine or device as part of a botnet or for cryptomining. More data and more connections are good for innovation, but so is security. Speed to market is important, but given the high stakes involved, security is even more important and needs to be an integral part of the go-to-market process.

Spent her 20+ year career advising and working for organizations ranging from small startups to Fortune 1000 enterprises, with both in-house and agency experience. A seasoned writer with frequent content contributions to various media platforms.
